Avoiding the worst case scenario: Balancing cost and data security

Part 1 of this series, “Avoiding the worst case scenario: Data theft during discovery” can be found here.

While most lawyers tend to become ostriches when they hear buzz words like “cybersecurity,” it may be time they pull their heads out of the sand. There are many scenarios in which corporate clients’ data is at risk, and it is up to their outside counsel to ensure that protection. A leak of corporate privileged data can cause catastrophic results, and no outside counsel wants to be responsible when that happens. The next real-world scenario below describes how a few cost-saving decisions can leave the corporate client unhappy and outside counsel fired and potentially brought up on ethics charges.

Scenario 2:

You are a large startup technology company with a big ERISA problem. Although you are a startup, you already have a major presence in the social media industry. As a player in the social media world, you are very sensitive to the protection of data, knowing if a slip-up happens, it only takes one tweet, post or email to end your business. You turn to outside counsel, ABC Firm, to handle the case. The case takes place outside jurisdictions where your outside counsel has an office, so you also hire two other firms as local counsel. To stay on budget, you implore all counsel to be cost-conscious, to seek out cost-saving measures and to reduce the hourly charges associated with the case team attorneys.

In order to share work product across the spectrum, the lead counsel, ABC Firm, has decided to use an e-discovery service provider to house all the documents. To share work product easily, ABC Firm determines that it is most cost-effective to have all documents housed on one document repository which lives on a provider’s server. As corporate counsel, you automatically assume that all documents turned over will be as safe as you keep them on your internal servers.

ABC Firm receives bids from several service providers and chooses the lowest, as it is far lower than any other company’s. That provider is hired, but no one from ABC Firm ever asks any questions about this vendor’s data security measures. ABC Firm also hires contract attorneys to supplement the review work and in turn reduces hourly charges pursuant to your request. ABC Firm never asks the contract attorney agency if it does any conflict checks or background checks on transient staff. ABC Firm pats itself on the back for saving you hundreds of thousands of dollars by using such outside providers.

In order to comply with the discovery orders, you must collect hundreds of HR files, which include names, addresses and Social Security numbers of many of your employees. These are turned over to ABC Firm, which in turn sends these files to the provider for processing and uploading to the review database. These sensitive documents go up on the review platform and are then checked by the contract attorneys for responsiveness.

Two weeks after the review begins, several of your employees have had their identities stolen. It seems odd that it happened to so many employees in one company, so suspicion arises. After several complaints to HR and thousands of dollars spent on hiring an investigator to find out if there is someone internally stealing this personally identifiable information (PII), you call outside counsel to discuss the situation. ABC Firm then realizes that both the e-discovery provider and the contract attorneys had access to this information. ABC Firm keeps this realization to itself for fear that you will not only fire the firm but potentially bring it up on ethical violations.

Weeks later, the investigator you hired figures out that the identities were in fact all stolen by one individual working as a contract attorney at the agency hired to review the documents. It turns out the individual had a previous record of theft in another state. The individuals whose identities had been stolen spend thousands of dollars and countless hours dealing with the issue. They seek reimbursement from you, as it was your turning over of the files that compromised their PII. You are fuming, as you have to reimburse all the employees plus pay the investigator fees. You are also upset that outside counsel never brought this to your attention after you mentioned the problem. You not only fire outside counsel, but you bring the firm up on ethical violations.

The ABA model rules dictate that an attorney’s obligation of supervision extends to lawyers and nonlawyers in the firm, as well as to third-party service providers. The ethical obligations regarding security of confidential client information also extend to supervision of these providers. The comments to the rule (Rule 1.18: Duties to Prospective Client) state that, “[w]hen using such services outside the firm, a lawyer must make reasonable efforts to ensure that the services are provided in a manner that is compatible with the lawyer’s professional obligations . . . including . . . the terms of any arrangement concerning the protection of client information.”

In negotiating contracts with third-party providers, attorneys must be sure that their ethical obligations regarding technological safeguards of client information, as well as any possible added requirements in the attorney-client engagement letter related to such safeguards, are passed along to these vendors. In practice, this duty to supervise eliminates the once reactive and last-minute approach to contracting with outside vendors to support one’s litigation. It is no longer acceptable, nor safe, to randomly select a provider based on price or relationship. The vetting of providers must now include the analysis of encryption policies, physical and virtual security measures and, most effectively, a full-scale, on-site audit. This scrutiny can add days and weeks to a litigation time frame, so it is best to conduct such evaluations well in advance to ensure the hiring of a reputable and secure provider, thus limiting exposure to ethics violations.

As outside counsel, it is imperative that you not only assess your own data security policies, but also do the same for any third-party providers that will have access to your clients’ data. If a provider is hosting client data, you are obligated to audit its security measures to ensure the safety of that data. This same obligation extends to the use of contract attorneys. It is outside counsel’s obligation to ensure that conflict and background checks are run. If a proper background check had been run in the example above, it would have found that this contract attorney had a prior record. It is also recommended that references be checked to ensure that you only contract with reputable providers. Because outside counsel did none of these things in this scenario, ABC Firm most likely violated its ethical duty.

However, as corporate counsel, it is never a bad idea to be involved in these decisions, as it is ultimately your data that is at stake. You can let outside counsel seek out and negotiate terms with providers, but you should make sure that you let outside counsel know your security measures so they can be matched by anyone else touching your data. Since a data breach is good for no one, everyone should have their heads out of the sand and learn to play in the sandbox together.